Release notes and FAQ
FAQ - General
How do you provide social login?
The OneWelcome Identity Platform can provide social registration and login with Facebook, Google, and LinkedIn out-of-the-box. Other social networks can be integrated when needed.
Why are emails not received by users?
Most of the time, this is due to the fact that the From address used in emails from the OneWelcome Identity Platform doesn't have an SPF record set in your DNS.
You must configure these settings in your DNS:
- If an SPF record already exists, add the following term to the existing record: include:spf.onewelcome.com
- If no record exists, create a TXT record like this: v=spf1 include:spf.onewelcome.com -all
Common practice: Create a separate subdomain for receiving emails and add this to your DNS record. Thales can also facilitate DKIM as an addition.
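As an added example (not OneWelcome or Thales code), the Python below produces the record the FAQ asks for, checks whether an existing TXT record already carries the include term, and flags the mistakes that most often make an SPF record silently ineffective (a term placed after `all`, `+all`, or more than ten DNS-lookup terms). The include host `spf.onewelcome.com` is the one from the FAQ; everything else, including the sample records, is constructed. It does not query DNS, so pass it the TXT value you see in your own zone.

```python
"""Check or build the SPF TXT record described in the FAQ.

Added example; not OneWelcome/Thales code. Only the include host comes
from the FAQ; the sample records used with it are constructed.
"""
import re
from typing import List, Optional

ONEWELCOME_INCLUDE = "include:spf.onewelcome.com"      # from the FAQ
ALL_TERM = re.compile(r"^[+\-~?]?all$", re.IGNORECASE)  # -all, ~all, ?all, +all
# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERM = re.compile(r"^(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)", re.IGNORECASE)


def parse_spf(record: str) -> List[str]:
    """Split an SPF record into its terms; reject anything that is not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (must start with v=spf1)")
    return terms


def has_onewelcome_include(record: str) -> bool:
    """True if the record already authorises OneWelcome's mail servers."""
    return any(t.lower() == ONEWELCOME_INCLUDE for t in parse_spf(record))


def add_include(record: Optional[str]) -> str:
    """Return the record the FAQ asks for.

    No record yet: create ``v=spf1 include:spf.onewelcome.com -all``.
    Existing record: insert the include before the trailing ``all`` term,
    because receivers stop evaluating at ``all`` (RFC 7208 section 5.1);
    an already-present include leaves the record untouched.
    """
    if record is None:
        return f"v=spf1 {ONEWELCOME_INCLUDE} -all"
    terms = parse_spf(record)
    if any(t.lower() == ONEWELCOME_INCLUDE for t in terms):
        return record
    for i, t in enumerate(terms):
        if ALL_TERM.match(t):
            terms.insert(i, ONEWELCOME_INCLUDE)
            break
    else:
        terms.append(ONEWELCOME_INCLUDE)
    return " ".join(terms)


def lint(record: str) -> List[str]:
    """Report common mistakes that make an SPF record ineffective."""
    problems = []
    terms = parse_spf(record)
    alls = [i for i, t in enumerate(terms) if ALL_TERM.match(t)]
    if not alls:
        problems.append("no 'all' term: record never fails unauthorised senders")
    elif alls[0] != len(terms) - 1:
        problems.append("terms after 'all' are ignored")
    if any(t.lower() == "+all" for t in terms):
        problems.append("'+all' authorises every sender")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceeds the limit of 10")
    return problems


if __name__ == "__main__":
    # Constructed sample: a zone that already authorises another provider.
    existing = "v=spf1 include:_spf.example-mailer.test -all"
    print(add_include(None))
    print(add_include(existing))
    print(lint("v=spf1 -all include:spf.onewelcome.com"))
```

The `lint` check matters because a record such as `v=spf1 -all include:spf.onewelcome.com` looks complete but authorises nothing: receivers evaluate terms left to right and stop at `-all`.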
Why doesn’t the OneWelcome Identity Platform warn about unknown usernames or email addresses?
The resend activation and password reset flows always say an email has been sent, regardless of whether the email exists or not. Why doesn't the OneWelcome Identity Platform tell the user that they entered an unknown username or email address? Google and Facebook have such a message.
GDPR regulations demand privacy by design. As a consequence, the OneWelcome Identity Platform has designed the (re)send password reset process and the resend activation email process so that it always pretends that the requested email is sent. In this way, no information is leaked to an unknown person about whether the account or email is registered. Thales thinks the Facebook and Google approach might not be compliant with GDPR regulations.
Furthermore, one could argue that "almost everybody is on Facebook or is using Google". The point is that privacy would not be violated to the same degree.
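The two behaviours contrasted above, as an added Python example (not OneWelcome or Thales code): `leaky_request_reset` answers differently for known and unknown addresses, so anyone can probe which addresses are registered; `ResetService.request_reset` returns one identical response on both paths and only varies in the side effect (queueing the email). The user store, token format and outbox are constructed stand-ins.

```python
"""Uniform-response password-reset request, as the FAQ describes.

Added example; not OneWelcome/Thales code. The user store, token
format and outbox are constructed stand-ins for a real backend.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

GENERIC_MESSAGE = ("If an account exists for that email address, "
                   "a password reset link has been sent.")


def leaky_request_reset(users: Dict[str, str], email: str) -> dict:
    """The behaviour the FAQ argues against: the answer itself reveals
    whether the address is registered (account enumeration)."""
    if email.strip().lower() not in users:
        return {"status": 404, "message": "No account found for that email address."}
    return {"status": 200, "message": "A password reset link has been sent."}


@dataclass
class ResetService:
    users: Dict[str, str]                          # email -> user id (constructed)
    outbox: List[dict] = field(default_factory=list)   # emails queued for sending
    tokens: Dict[str, str] = field(default_factory=dict)  # reset token -> user id

    def request_reset(self, email: str) -> dict:
        """Return the same status and message whether or not the address is
        known; the only difference between the two paths is the side effect."""
        normalized = email.strip().lower()
        user_id = self.users.get(normalized)
        # Generate the token on both paths so the request does the same work
        # either way; the send itself is queued, not performed inline.
        token = secrets.token_urlsafe(32)
        if user_id is not None:
            self.tokens[token] = user_id
            self.outbox.append({"to": normalized, "token": token})
        return {"status": 200, "message": GENERIC_MESSAGE}

    def consume_token(self, token: str) -> str:
        """Redeem a reset token once; unknown or reused tokens are refused."""
        user_id = self.tokens.pop(token, None)
        if user_id is None:
            raise ValueError("invalid or expired reset token")
        return user_id


if __name__ == "__main__":
    service = ResetService(users={"alice@example.test": "u-1"})   # constructed
    print(service.request_reset("alice@example.test"))
    print(service.request_reset("nobody@example.test"))
    print(len(service.outbox), "email(s) queued")
```

The response body and status code are only part of the picture: the time the request takes must also not depend on the branch, which is why the email is appended to a queue rather than sent while the HTTP request waits, and why the token is generated before the branch. The same pattern applies to the resend-activation flow the FAQ mentions.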
What is IDaaS?
IDaaS stands for Identity-as-a-Service. It is an authentication infrastructure that is built, hosted, and managed by a third-party provider. As such, it allows organizations to manage identities for consumers, employees, and business customers in a flexible and efficient way, on a cloud platform that is maintained and kept up to standards by an expert supplier.
IDaaS provides organizations with advanced IAM capabilities without having to deal with complex underlying infrastructures, policies, and practices that are necessary for maintaining high standards for compliance and security.
The OneWelcome Identity Platform's IDaaS solution provides an even broader set of capabilities, with advanced features for authentication and delegation management. The term Identity and Access Management-as-a-Service would be more appropriate.
Types of IDaaS
There are different types of IDaaS, which also require a different approach. Whether you have to manage identities of employees, consumers, or B2B partners, the OneWelcome Identity Platform provides the premium platform to securely connect identities and protect data.
FAQ - Release management
What does your release management and deployment process look like?
The OneWelcome Identity Platform maintains a product roadmap. This roadmap provides direction and guidance, and prioritizes strategic product development. Items from the roadmap are prepared in close alignment between the product management and engineering departments before they are picked up by our engineering organization for development.
Engineering maintains a release plan that includes these roadmap items and other development work, including research, technology upgrades and lifecycle management, bugs, security, refactoring, and smaller product changes. The plan assigns priorities and indicates when work is expected to be finished.
Engineering also maintains a release schedule, which is a fixed schedule of when new product releases become available. Depending on the identity app or deployment platform, a release results either in immediate production deployment (and is thus immediately available to our customers) or in the release being made available to our delivery and operational teams for a future production deployment. In the latter case, those teams maintain a deployment plan and deployment schedule.
Release and deployment schedule
Single-tenant deployments
This includes our Identity and Access Core and User Journey Orchestration (Tulip only).
| Product | Release Schedule | Deployment Schedule |
|---|---|---|
| Identity and Access Core - Tulip (GTT) | Every 2 weeks | Approx. every 3 months |
| Consumer Identity and Access - CIM (AWS) | Upon request | Upon request |
Multi-tenant deployments
This includes all our identity apps: Delegations and Relations, Consent and Preferences, Mobile Identity, and Externalized Authorization.
| Change type | Release Schedule | Deployment Schedule |
|---|---|---|
| Non-service impacting changes (deployments without downtime or breaking changes) | Continuous | Continuous |
| Service impacting changes (deployments with downtime or breaking changes) | Continuous | Approximately every two weeks |
On-premises
This applies only to the on-premises version of Consumer Identity and Access and to the Token Server, part of Mobile Identity.
| Product | Release Schedule | Deployment Schedule |
|---|---|---|
| Consumer Identity and Access - CIM | Infrequently | Customer responsibility |
| Mobile Identity - Token Server | Infrequently | Customer responsibility |
FAQ - Technical capabilities
Which browsers are supported?
The OneWelcome Identity Platform is built on common, modern web standards and can be used by any modern browser. If you experience issues, make sure you run the latest stable release of your preferred browser and allow first-party cookies. Some of our customers choose to embed tag managers, feedback agents, and similar technologies. These might be blocked by ad or tracker blockers. If you experience issues, make sure to disable these blockers for the specific site.
| Desktop support | Support level |
|---|---|
| Chrome | Latest stable release |
| Safari | Latest stable release |
| Edge (Chromium) | Latest stable release |
| Edge (non-Chromium) | Best effort* |
| Internet Explorer | Best effort* |
| Firefox | Latest stable release |
| Mobile support browsers** | Supported browser |
|---|---|
| Android | Chrome, latest stable release |
| iOS/iPadOS | Safari, latest stable release |
*Best effort: Even though most functionality is expected to work in best effort browsers, the OneWelcome Identity Platform does not actively support best effort browsers and does not guarantee functionality to work or be visually correct in these browsers. Best effort browsers are not part of our quality assurance process.
**Mobile supported browsers: Even though most functionality is expected to work on other browsers (manufacturer browsers, such as the Samsung Browser) and embedded browsers in apps, they are not part of the OneWelcome Identity Platform test suite. The OneWelcome Identity Platform treats these browsers as best effort and therefore does not guarantee functionality to work or be visually correct in these browsers.
Beta, developer, or custom versions of any browser are considered best effort and are not actively supported. If you experience issues, make sure to use the latest stable release of your preferred browser.
What devices (hardware/operating systems) are supported?
The OneWelcome Identity Platform delivers software-as-a-service that can be accessed via any web-enabled device. User interfaces, for example, self-service, password reset, and so on, are available through any modern browser, and do not require any specific hardware to operate. Since the OneWelcome Identity Platform is offered as a service, there is no on-premises installation needed.
How can multiple systems or applications use the same identity?
Multiple systems (such as an invoice portal, bidding portal, or customer inquiry portal) can easily use the same identity by all connecting to the OneWelcome Identity Platform, using the same identity stores.
The OneWelcome Identity Platform acts as the single, aggregated identity store for all relying applications. These can integrate with OneWelcome Identity Platform through various different protocols, such as SAML, OAuth, OpenID Connect, SCIM, and so on, to allow for single sign-on or provisioning of identity information.
Which program languages are supported through APIs?
The OneWelcome Identity Platform exposes REST APIs.
Which authentication, federation, and SSO technologies do you support?
- The OneWelcome Identity Platform supports the modern, common standards for authentication, federation, and SSO: SAML 2.0, OAuth 2.0, and OpenID Connect 1.0.
- OAuth 2.0/OpenID Connect authentication: The OneWelcome Identity Platform supports authentication to any OAuth 2.0 authentication server (provider), such as Facebook, Google, or LinkedIn.
- Federation: This module is used together with the federation framework to configure SAML2 as a service provider.
What is the process of an invited registration compared to a self-registration?
When starting the registration, details to set up the identity are provided, such as name, email address, phone number, and so on. When the information is provided, the user receives a verification step by email or SMS, to confirm their identity. After verification, the user can set their password and, if desired and configured, connect social accounts for future authentication.
Self-registration can also be done by using social IDs. The customer can, in a later stage, keep these identities coupled or uncouple them. The OneWelcome Identity Platform can support all social logins that have standards for authentication. Most common are Facebook, LinkedIn, Google+, Twitter, and Microsoft.
Is it possible to use our own SSL certificates for service URLs?
Yes, the OneWelcome Identity Platform by default recommends using client SSL certificates for all services.
FAQ - Security
How are credentials stored and encrypted?
Email address management and password management
Where do you host your services?
Our services are securely hosted in virtual data centers.
The IDaaS Core, User Interaction, User Journey Orchestration, and Consent Lifecycle Management capabilities are provided in a private tenant model from GTT Interoute data centers in Europe. We have main nodes in Amsterdam, Paris, Milan, and Frankfurt, with optional other locations in Europe.
OneWelcome Mobile Identity and B2B / RITM are hosted in a shared tenant setup run on AWS infrastructure in three availability zones that are set up in EU West.
FAQ - SSO
Which federation protocols does the OneWelcome Identity Platform support?
The OneWelcome Identity Platform supports most common identity and access management related protocols, such as OpenID Connect and OAuth.
Does the OneWelcome Identity Platform support the AD user secondary data store?
Authentication with both on-premises Active Directory implementations and cloud-based Azure AD can be offered through OAuth/OIDC integration.
Release notes
You can find the following release notes and announcements for the OneWelcome Identity Platform: